[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <001e01c47aeb$cb80dde0$6701a8c0@anchorsign.com>
Date: Thu, 5 Aug 2004 05:57:40 -0700
From: "Thor" <thor@...merofgod.com>
To: "Bryan Burns" <bburns@...iper.net>,
"Paul Kurczaba" <paul@...pis.com>, <albatross@....it>,
<bugtraq@...urityfocus.com>
Subject: Re: New MyDoom variant
I actually captured the new variant (*a* new one, anyway) a few days ago
that no AV picked up and forwarded it to Trend and Symantc (I think the SF
guys already had it). The original attachment was a .zip file with the
contents being a .doc.exe extension.
The zip was named after my own domain, as in "domain.com.zip" and the file
itself was "domain.com.doc .exe" with the .exe spaced way out
like the older versions did.
The text of the email was:
"Dear user user@...ain.com, mail system administrator of domain.com would
like to let you know that:
We have found that your account was used to send a large amount of spam
during the last week. Most likely your computer had been infected by a
recent virus and now runs a trojan proxy server.
Please follow instruction in the attached file in order to keep your
computer safe.
Have a nice day,
domain.com user support team."
HTH
Tim
----- Original Message -----
From: "Bryan Burns" <bburns@...iper.net>
To: "Paul Kurczaba" <paul@...pis.com>; <albatross@....it>;
<bugtraq@...urityfocus.com>
Sent: Wednesday, August 04, 2004 12:25 PM
Subject: Re: New MyDoom variant
> According to Trend: htm.exe, txt.exe, txt.scr
>
> According to McAfee: EXE, COM, SCR, PIF, BAT, CMD
>
> According to Symantec: exe, txt.exe, htm.exe, txt.scr, zip
>
>
> Hmm, I wonder who is right...
>
> -Bryan
>
> On 8/4/04 11:07 AM, "Paul Kurczaba" <paul@...pis.com> wrote:
>
> > What extension does the attachment have (exe, pif, zip)?
> >
> > -Paul
> > ----- Original Message -----
> > From: <albatross@....it>
> > To: <bugtraq@...urityfocus.com>
> > Sent: Wednesday, August 04, 2004 9:22 AM
> > Subject: New MyDoom variant
> >
> >
> >>
> >>
> >> The SANS Institute reports a new variant of MyDoom in the wild actually
> > not recognized by AV vendors:
> >>
> >> New MyDoom On The Loose
> >>
> >> Initial analysis (we will update as we know more):
> >>
> >> Currently (16:00GMT), signatures are not yet available.
> >> UPDATED (17:00GMT):
> >> - Signatures are starting to come out, identifying this as MyDoom.O,
> > MyDoom.P or Evaman.C
> >> - It appears that this may only work on Win2K and WinXP machines
because
> > the executable requires psapi.dll.
> >> - Copies itself to the Windows' system directory as winlibs.exe and
> > installs itself under
> > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> >>
> >> UPDATED (17:30GMT) - *BETA* Snort Sigs:
> >> UPDATED (17:40GMT) - *BETA #2* Snort Sigs:
> >> UPDATED (19:30GMT) - *BETA #3* Snort Sigs:
> >>
> >>
> >> var YAHOO [216.109.127.126/32]
> >> #var YAHOO any
> >> pass tcp any any -> $YAHOO 80 (msg: "Beta - MyDoom.P yahoo email
address
> > search";\
> >> sid:900018; rev:4; flow:established,to_server; flags:A+;\
> >> flowbits:set,search_uri; content: "/py/psSearch.py|3f|";)
> >> alert tcp any any -> $YAHOO 80 (msg: "Beta - MyDoom.P yahoo email
address
> > search";\
> >> sid:900018; rev:4; flow:established,to_server; flags:A+;\
> >> flowbits:isset,search_uri; content: "Host|3a| EMAIL.PEOPLE.YAHOO.COM";)
> >>
> >> Targets Yahoo's people search:
> >>
> >> http://email.people.yahoo.com:80/py/psSearch.py?
> >>
> >> NEW (1700GMT)- Example packet capture:
> >>
> >> 12:23:22.922862 10.1.0.129.1035 > 216.109.127.126.80: P 5:310(305) ack
1
> > win 175 20 (DF)
> >> 0x0000 4500 0159 0077 4000 8006 96ba 0a01 0081
E..Y.w@.........
> >> 0x0010 d86d 7f7e 040b 0050 2217 187c 6b8a 5eb1
.m.~...P"..|k.^.
> >> 0x0020 5018 4470 46c9 0000 2f70 792f 7073 5365
P.DpF.../py/psSe
> >> 0x0030 6172 6368 2e70 793f 4669 7273 744e 616d
arch.py?FirstNam
> >> 0x0040 653d 4a61 6d69 6526 696e 6465 783d 2048
e=Jamie&index=.H
> >> 0x0050 5454 502f 312e 300d 0a41 6363 6570 743a
TTP/1.0..Accept:
> >> 0x0060 2069 6d61 6765 2f67 6966 2c20 696d 6167
.image/gif,.imag
> >> 0x0070 652f 782d 7862 6974 6d61 702c 2069 6d61
e/x-xbitmap,.ima
> >> 0x0080 6765 2f6a 7065 672c 2069 6d61 6765 2f70
ge/jpeg,.image/p
> >> 0x0090 6a70 6567 2c20 6170 706c 6963 6174 696f
jpeg,.applicatio
> >> 0x00a0 6e2f 766e 642e 6d73 2d65 7863 656c 2c20
n/vnd.ms-excel,.
> >> 0x00b0 6170 706c 6963 6174 696f 6e2f 6d73 776f
application/mswo
> >> 0x00c0 7264 2c20 6170 706c 6963 6174 696f 6e2f
rd,.application/
> >> 0x00d0 766e 642e 6d73 2d70 6f77 6572 706f 696e
vnd.ms-powerpoin
> >> 0x00e0 742c 202a 2f2a 0d0a 4163 6365 7074 2d4c
t,.*/*..Accept-L
> >> 0x00f0 616e 6775 6167 653a 2065 6e2d 7573 0d0a
anguage:.en-us..
> >> 0x0100 4163 6365 7074 2d45 6e63 6f64 696e 673a
Accept-Encoding:
> >> 0x0110 2067 7a69 702c 2064 6566 6c61 7465 0d0a
.gzip,.deflate..
> >> 0x0120 5573 6572 2d41 6765 6e74 3a20 4d6f 7a69
User-Agent:.Mozi
> >> 0x0130 6c6c 612f 342e 300d 0a48 6f73 743a 2045
lla/4.0..Host:.E
> >> 0x0140 4d41 494c 2e50 454f 504c 452e 5941 484f
MAIL.PEOPLE.YAHO
> >> 0x0150 4f2e 434f 4d0d 0a0d 0a O.COM....
> >>
> >>
> >> Message subjects(?):
> >>
> >> SN: New secure mail
> >> SN: New secure mail
> >> Secure delivery
> >> Secure delivery
> >> failed transaction
> >> failed transaction
> >> Re: hello (Secure-Mail)
> >> Re: hello (Secure-Mail)
> >> Re: Extended Mail
> >> Re: Extended Mail
> >> Delivery Status (Secure)
> >> Delivery Status (Secure)
> >> Re: Server Reply
> >> Re: Server Reply
> >> SN: Server Status
> >> SN: Server Status
> >>
> >>
> >> Message body contains(?):
> >>
> >> Automatically Secure Delivery: for
> >> Automatically Secure Delivery: for
> >> Mail Delivery Server System: for
> >> Mail Delivery Server System: for
> >> Extended secure mail message available at:
> >> Extended secure mail message available at:
> >> Secure Mail Server Notification: for
> >> Secure Mail Server Notification: for
> >> New mail secure method implement: for
> >> New mail secure method implement: for
> >> New policy requested by mail server to returned mail
> >> as a secure compiled attachment (Zip).
> >> New policy requested by mail server to returned mail
> >> as a secure compiled attachment (Zip).
> >> Now a new message is available as secure Zip file format.
> >> Due to new policies on clients.
> >> Now a new message is available as secure Zip file format.
> >> Due to new policies on clients.
> >> This message is available as a secure Zip file format
> >> due to a new security policy.
> >> This message is available as a secure Zip file format
> >> due to a new security policy.
> >> For security measures this message has been packed as Zip format.
> >> This is a newly added security feature.
> >> For security measures this message has been packed as Zip format.
> >> This is a newly added security feature.
> >> New policy recommends to enclose all messages as Zip format.
> >> Your message is available in this server notice.
> >> New policy recommends to enclose all messages as Zip format.
> >> Your message is available in this server notice.
> >> You have received a message that implements secure delivery technology.
> >> Message available as a secure Zip file.
> >> You have received a message that implements secure delivery technology.
> >> Message available as a secure Zip file.
> >> This message is an automatically server notice
> >> from Administration at
> >> This message is an automatically server notice
> >> from Administration at
> >> Server Notice: New security feature added. MSG:ID: 455sec86
> >> Server Notice: New security feature added. MSG:ID: 455sec86
> >> New feature added for security reasons
> >> New feature added for security reasons
> >> Automatically server notice:,
> >> Server reply from
> >> Automatically server notice:,
> >> Server reply from
> >> New service policy for security added from
> >> New service policy for security added from
> >>
> >>
> >> The executable contains the following names that are used to search
Yahoo:
> >> Johnson, Williams, Wilson, Taylor, Anderson, Thomas, Jackson, Parker,
> > Hernandez, Gonzalez, Roberts, Patricia, Margaret, Elizabeth, Anthony,
> > Daniel, Patrick, Douglas, Carlos, Sanchez, Howard, Washington, Walter,
> > Robinson, Miguel, Jennifer, Alberto, Mathew, Taylor, Walker, Mitchell,
> > Carter, Nelson, Brooks, Jenkins, Coleman, Flores, Griffin, Morris,
Rogers,
> > Barbara, Angela, Amanda, Pamela, Martha, Frances, Cynthia, Stephanie,
> > Nicole, Andrea, Rebeca, Steven, Anthony, George, Michael, Isabel,
Marcos,
> > Camilo, Salomon, Esteban, Francis, Nicholas, Samuel, Angela, Catherine,
> > Susanna, Dorothy, Elizabeth, Andrew, Philip, Hester, Edward, Martin,
> > Gabriel, Christopher, Lawrence, Christian, Christ, Dorcas, Rowland,
Cecily,
> > Margery, Turner, Torres, Brooks, Harrison, Gibson, Pierce, Arnold,
Watkins,
> > Medina, Mendoza, Santiago, Christina, Norris, Santos, Burgess, Valdez,
> > Barber, Patton, Ortega, Estrada, Waters, Ashlee, Parson, Sparks, Morton,
> > Allison, Monique, Summers, Cortez, Barton, Deleon, H
> >> arrell, Navarro, Woodard, Meyers, Petersen, Vannessa, Douglas, Joanna,
> > Judith, Bridget, Jessica, Jeffrey, Timothy, Shirley, Kimberly, Sandra,
> > Melissa, Virginia, Dennis, Junior, Heather, Collins, Garcia, Miller,
Barton,
> > Bridget, Gillian, Ursula, Hannah, Cooper, Watson, Bennett, Sanders,
Ramirez,
> > Bailey, Murphy, Campbell, Barnes, Alexis, Samantha, Madison, Joshua,
> > Charles, Clinton, Lincoln, Houston, Claudia, Britney, Carson, Spider,
> > Laster, Jolley, Galvin, Alecia, Karrie, Ivette, Freeman, Hunter,
Simpson,
> > Hamilton, Knight, Mcdonald, Elliott, Bradley, Duncan, Weaver, Fields,
> > Chapman, Kelley, Wagner, Jacobs, Stanley, Fuller, Newman, Lambert,
Cummings,
> > Leonard, Barker, Norris.
> >>
> >
> >
>
>
>
Powered by blists - more mailing lists